Oracle customers confirm data stolen in alleged cloud breach is valid (bleepingcomputer.com)
347 points by el_duderino 11 months ago | hide | past | favorite | 82 comments


>BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.

>In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach.

Oracle probably should have just admitted the validity up front.

It's not like there are any real penalties to a breach. Lying about it is probably a worse PR hit than the breach itself.


> It's not like there are any real penalties to a breach.

Not in the US maybe. In the EU under GDPR you have to disclose within 48h of realizing (or being made aware of) the breach.

There are fines (at least) if you don't disclose it afaik.

Oracle is gonna have issues with the EU, most likely.


Maybe the EU wasn't on the Signal group chat when Oracle notified The Atlantic of the breach


SEC Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules - https://www.sec.gov/files/33-11216-fact-sheet.pdf


I mean it's true that there's a rule, but at this point in US history I think we have reason to be sceptical that it will be enforced.


The SEC selectively enforcing the rule does not prohibit a shareholder suit against the company. "Everything Everywhere Is Securities Fraud" after all.


Additionally, while not specific to this SEC enforcement action, corporations also have to think long term: just because this administration is not enforcing laws doesn't mean the next one can't reach back and do so. The laws are still on the books, after all.


Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue? Admittedly, I don't watch too closely, but from the ones I am aware of, I haven't seen any GDPR fines that made me finally think "wow, that might actually count as a punishment". (I would honestly be happy to learn of some!)

There are disclosure laws in the US as well, but again, the fines are like a day's worth of revenue. Maybe the breached company has to provide a year of credit monitoring for the affected persons, if lucky.


Several of the fines have been in the hundreds of millions of dollars - and while not crushing to Oracle, that's actual money that will definitely change behavior. https://www.enforcementtracker.com/


Many of these are against public bodies... Hundreds of pages of lawyers going back and forth, for money that in the end goes from one part of the government to another...


Nice, thanks for the link!

The largest fine ever issued is about 2% of Oracle's 2024 revenue. If we average the top 5 fines ever issued (this breach surely won't result in the largest GDPR fine ever), it'd be about 1% of Oracle's 2024 revenue. So, between ~3.5 and ~7 days' worth of revenue, if we're lucky and get a top 5 GDPR fine?

I'm not sure that is in the "definitely change behavior" area yet (in fact, I'm confident it is not), but better than I thought.


7 days of revenue, 1 whole week out of 52 that all of your workforce production went to pay a fine? Yeah, that's quite noticeable for a corporation.


If this breach receives a fine in the top 5 fines ever issued in the entire history of GDPR enforcement.

Don't forget to subtract out the money they saved from reduced investment in security over that time, as well.

Noticeable? Sure. Nowhere near noticeable enough, though, in my opinion. Especially if we're serious about it and recognize this isn't going to be a top 5 fine.


Presumably if it's due to negligence (i.e. intentional lack of investment) it will happen again if the underlying issue isn't fixed. So you have to factor that in.

If it happens repeatedly presumably the percentage will go up.

I think the only way this gets written off is if saving the money opens you up to such a low level of additional risk that you don't reasonably expect the event to happen more than once (if ever). But if the risk level is actually that low (I don't believe this to be the case, just playing out a hypothetical here) then arguably they wouldn't be in the wrong.

To put this in regular person terms, 3% of a 6 figure salary is $3k. That's more than enough to get most people's attention.


We rightfully see corporations as amorphous entities, but I wouldn't like to be the VP/director that this fine gets blamed on. Nor, probably, would other adjacent management staff.


Right - comparing it to a percentage of revenue ignores the managerial aspect of someone having to explain to their boss or to Larry why the $100M budget they manage is going to be 100% over.


If that were true companies wouldn't get fined over and over again year after year.


In the UK, and I presume the EU also, the fines for losing customer data are set as a % of company annual worldwide turnover.

https://ico.org.uk/for-organisations/law-enforcement/guide-t...


> the fines

They're not fines though if no money changes hands.

So far very few if any of these supposed penalties have actually been paid.

There have been a few good articles published about the total Euro amount of "penalties" and actual enforcement actions, and the ratio is something like 100:1 or worse.


According to the GDPR enforcement tracker link helpfully provided by the sibling commenter, we'll be lucky to see a ~1% fine of the 2024 revenue of Oracle. That's assuming that the fine issued is in the top 5 GDPR fines ever issued. Even 4%, the cited higher maximum on your link, is kind of peanuts (not sure this breach would even qualify for the "higher maximum", as I'm unfamiliar with the laws, so it could be a maximum of 2% if counted as a "standard maximum").

To me, that's still in the "cost of doing business" territory, not the "punishment" territory.


4% of revenue is terrifying for large corporations.


Have they ever issued a fine for 4% of revenue? That's the maximum fine possible, under the non-standard "higher maximum" category. This breach surely won't be given the maximum considering there isn't really anything noteworthy about it.

We should consider the maximum that has actually been issued, then subtract some off of that. You also have to subtract out all of the money they saved over the years of reduced investment into security.

I think that lands us squarely back into "cost of doing business" land.


It's impossible to take their fears seriously—literally any kind of social obligation is going to be scary for an entity with no desire to do anything but feed its owners.

Wait until you see what kind of reaction 40% gets! Existential threats will be the only things that work.


If a fine isn't an existential threat what's the point of it? Hoping next time they'll care more? tf?

The EU needs to tack another 0 to these percentages if they want to see movement.


If the fines were existential threats, who would even want to do business in these countries?


> Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue?

Not yet, hopefully soon: under some circumstances GDPR fines can go up to 6% of gross earnings (EBITDA) IIRC.


> In the EU under GDPR you have to disclose within 48h

72h actually, but yes, data protection and breaches of sensitive personal information are taken very seriously in the European Union and its legislation.


This just in... /s

Seriously though, Sullivan lost his appeal. You should have read up on this.

https://www.courthousenews.com/wp-content/uploads/2025/03/us...


What exactly is the point you are trying to make?

He got in trouble for obstruction of justice and misprision of a felony for trying to cover up a breach. Not because there was a breach.

There are basically no punishments for a breach itself. But yes, if you obstruct authorities who investigate, you can get in trouble.


The fact alone that Oracle was hosting their login gateway on a product with a known vulnerability from 2021 with a CVSS score of 9.8 is quite disturbing.


We pay millions to Oracle. We hit a bug and it took 6 months for them to reproduce and acknowledge there is a bug. They now seem to be on the lookout for someone being able to produce a fix: sales and Indian after-sales can't do that... curious!

Oracle seems just a money-grabbing shell company at this point, and I suppose the whole hyperscaler cloud is developing towards that point, with the leaders of those corporations repeating exactly the same talking points...


Why are you still on Oracle? (genuine question, no snark)


Because Oracle gives their manager premium baseball tickets on the regular.


They make a great database?


From my anecdotal experience: no. It is arcane, user hostile and buggy. And performance for many workloads is roughly in line with open source databases.

Some of the tooling around it is nice and it has some nice features but I would not recommend it even if it was free.

Edit: unless the great database is MySQL; they are actually decent stewards of it, and while I still strongly prefer PostgreSQL, MySQL is pretty good these days.


It's possible it has redeeming features but seems more common to be just legacy. Multiple apps accessing the same DB leading to a gridlock from migration POV. (Plus career oracle DBAs etc in the org).

As Oracle is so expensive it skews the architecture decisions towards multiple apps accessing the same DB.


Even worse. It skews the architecture decisions towards few large physical database servers instead of many small VMs, because licensing cost is per core in the whole VM cluster, so totally unaffordable. So you get reduced availability, higher risk, reduced separation, reduced security, higher datacenter cost, and they bill you an arm and a leg on top...


This isn't always a bad thing because microservice architecture isn't always the best solution.


This often isn't related to a monolith vs microservice comparison. Large enterprises and institutions tend to run a lot of completely separate applications, which then end up sharing database infrastructure unnecessarily. Think of universities, for example.


Oracle extends the problem to the opposite end of microservices, by encouraging monolith DB consolidation, with unrelated monolith applications on the same db cluster for purely budgetary reasons.


> unrelated monolith applications on the same db cluster

If your "db cluster" is split into containers on one VM as you would do in any other cloud (because VMs are expensive), then you would have the same problem.

> encouraging monolith DB consolidation

Does it? I don't think so. I've worked with Oracle's stuff and the only real difference between Oracle Cloud and other clouds is that Oracle cloud is more expensive overall. There's nothing stopping you from running virtual machines and kubernetes in the same way you'd run it in any other cloud.


Yep. And then when the DBs are already on the same servers, when there's a need to connect previously unrelated apps to some master data, a shortcut presents itself. The DBA thinks: After all, why not? Why shouldn't I take it?


If you handle large amounts of geographical data you'll need to invest quite a bit to move to Postgres. It's possible but you're going to need to touch a lot of existing code and figure out new performance characteristics and so on. A lot of it will be hard for an average organisation, not because it's very sophisticated and complex but because it will be large amounts of boring rote work that many developers don't see how they could do programmatically.

Rumour has it the same holds for some other types of data as well but I lack immediate experience in other areas.

With Oracle you also have a rather robust, exhaustive documentation of error messages, and even obscure stuff is likely to be figured out in some forum thread by someone and an Indian guy. Postgres isn't exactly bad in this area, but you can run into things where you need to go deep in debugging yourself and figure out minutiae of your specific version.

Containers also remove most of the issues with running several instances in development and CI environments.

I still don't recommend anyone to pick Oracle for greenfield stuff, instead you should work around shortcomings in other database engines, but for a large organisation with certain demands that already has buyin it makes sense.


Postgres is commonly used in GIS, via PostGIS (https://postgis.net). That said, it is Oracle's model to try to lock customers in.


PostGIS seems leaps better to me (like the PG DX in other aspects). E.g. in Oracle you don't have 2D points. Adding a geo index can fail in the middle and leave the table in an unusable state that requires DBA magic to untangle. Etc.

This is just on top of the general technical inferiority (e.g. there are no transactional schema changes, so you don't get the safe go/no-go in those when applying them as part of app deploys with a migration tool).


SDO_POINT(x, y, 0) or SDO_POINT(x, y, NULL) ought to do what you want. Index corruption can be a nasty problem on Postgres too.

You need to decide if and how to perform a rollback, similar to how you would define a down() procedure in migration files. A schema change might imply changes to data, and in that case you might turn off client writes, copy the table, change it, validate, do rename dance, turn on client writes again. If it doesn't it might be much cheaper to operate on a single copy. How does Postgres decide on such strategies automatically?
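Added example (not from the thread) of the transactional DDL the two comments above contrast: in PostgreSQL the schema change, the backfill and the validation run in one transaction, so a failed check rolls back the whole migration and other sessions never see a half-applied table. The `accounts` table and `region` column are assumed names for illustration.

```sql
-- Assumed table for illustration; in PostgreSQL DDL participates in transactions.
BEGIN;

-- Schema change and data backfill in the same transaction.
ALTER TABLE accounts ADD COLUMN region text;
UPDATE accounts SET region = 'unknown' WHERE region IS NULL;

-- Go/no-go check: RAISE EXCEPTION aborts the transaction, so the column,
-- the backfill and the constraint below are all discarded together.
DO $$
BEGIN
  IF EXISTS (SELECT 1 FROM accounts WHERE region IS NULL) THEN
    RAISE EXCEPTION 'migration validation failed: NULL region rows remain';
  END IF;
END
$$;

ALTER TABLE accounts ALTER COLUMN region SET NOT NULL;

-- If any statement above failed, psql reports the transaction as aborted and
-- this COMMIT performs a ROLLBACK instead; no copy-and-rename dance is needed.
COMMIT;
```

In Oracle the ALTER TABLE would be committed implicitly, which is why the comment above needs an explicit copy, validate and rename strategy to get the same all-or-nothing outcome.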


Another curious question: what use case can only be served by an Oracle DB?


Many moons ago when I was green and my skin was a lot smoother I pointed out to my then boss that we could relatively easily (a few weeks of work) move our product from Oracle to Postgres and save n x $1000 for each installation we shipped to a customer.

My personal goal was to avoid becoming an Oracle expert. (Why? Because even as someone who passed advanced Oracle training easily it was still extremely painful. One mistake towards the end of an installation could easily result in 2 days extra work to clear it out.)

Stupid as I was, I said nothing about all the work we went through and only mentioned all the money we could save.

The response was something I learned a lot from.

It was mild and friendly and something along the lines of "here's what you don't get young lad: the customer pays for the Oracle license on top of our original price and we get a 10% cut. Changing to Postgres will effectively cost us money. Also for <this industry> when we say it is based on Oracle they feel safe."

I'm back at Oracle today after a decade of less painful options, and Oracle is still painful, but these days I'm not the DBA thankfully and only have to deal with connection strings that make every other database look easy, different SQL syntax, etc.


Anything that was previously built on Oracle and would be too much of a pain to try to migrate to something else.


The Oracle products built on top of them, such as EPM.


EPM products were originally built on SQLServer (or on nothing, like Essbase), and then adapted to run on Oracle. So it's more like "the products commercially forced to run on Oracle, like EPM".

Not that it matters that much - there are better EPM/CPM products now available, like OneStream ;)


Then the obvious follow-up is: in which area is EPM significantly better than the competition?


Going on Oracle sales rep sponsored ski trips.


Because of architectural decisions made a very long time ago (finance industry) and the potential risk of migrating to another platform.


It seems like an even bigger risk to not migrate.


As others have mentioned:

- institutional inertia
- some weird consultant-style people in key roles (this happens around cloudy stuff too)
- the DBA team
- "we can't move everything!"
- "we just migrated off Solaris!"

However, every new project with sane leadership seems to decide against Oracle.


Fun fact: Oracle has like 6+ LDAP/directory products, OAM is just one. There's ODS, OIM, OID, OUD, OVD, NIS leftovers from Sun, and probably more honestly.


OAM and OIM aren’t “LDAP/directory products” per se.

OAM is an access management product, used to implement stuff like SSO (single sign-on). So, for example, it comes with a module you can install in Apache which will intercept HTTP requests and redirect them to OAM's login page, which may potentially talk to an LDAP to authenticate you. Or you can do stuff like define some URL patterns in an app as sensitive so they require a more secure authentication mechanism (such as 2FA or smart card), and other URL patterns as less sensitive so password-only login is sufficient.

OIM is basically about provisioning accounts from a source system into target systems. Those systems could be LDAPs from various vendors, but can also be HR systems (Oracle's various offerings and SAP too), IBM mainframes (RACF, TopSecret, ACF2), Unix/Linux hosts, database tables, custom apps... It also lets you do things like set up workflows to approve system access requests; you can configure it to require reapproval of high-risk access requests by management every X months or else they get revoked (used for Sarbanes-Oxley compliance), etc.

Source: I used to work for Oracle Engineering, in a team which handled escalations for these products, especially OIM, but I stuck my fingers in most of them. When I left (back in 2017, so a while ago now) they were putting a lot of effort into their cloud offering (IDCS, more recently replaced by OCI IAM), but I'm sure the on-premise offerings are going to stick around for a long time, especially because they have some customers (e.g. in the national security space) for which cloud is unlikely to be a viable solution any time soon.


And you can't just use your AD, you have to install OID and have it synchronized.

It just makes me mad.


hey at least they use their own product!


It appears they took dogfooding a little too literally


Ironically, they didn’t see this coming.


To be fair, the vulnerability is only 4 years old. There is no way they could have noticed it, let alone resolved it that quickly.

This is Oracle.


Check out Oracle's market cap or Ellison's net worth ;)


> In this email exchange, the threat actor says someone from Oracle using a @proton.me email address told them that "We received your emails. Let’s use this email for all communications from now on. Let me know when you get this."

E-mails are one of the records that most public companies are required to retain for a period of time (7 yrs?). Probably trying to avoid a paper trail?

Data breaches, unfortunately, have no impact on stock. Companies that use Oracle products are unlikely to migrate any time soon.

_future_ sales may be impacted, and maybe some smaller players can migrate off. But Oracle will downplay it as much as possible.

"Deny. Delay. Defend." is not just a health insurance slogan.


Okay, having worked at a top 3 insurance broker about 10 years ago when "Cyber" policies were being rolled out (h/t Beasley)... I wonder who underwrote Oracle's policy and how much it was in that tower? No policy? Hope the D&O can cover the shareholder lawsuits! Wait, something something cozy with administration in power, rules subject to interpretation, etc.

Then again, Tyler Technologies blamed Judyrecords.com for their exposing reams of sealed cases in California because of their flawed obfuscation system and claimed it was a security breach (somehow skated on accountability there).

Rule #1 of a breach is never write the word breach in an email, hence the discussion off their dot com I figure…


Classic, Oracle denying breach despite clear evidence.


This is the way.

Deny deny deny. Those that have already drunk the kool-aid will believe your denial. Those that are too lazy to look or only get their info from one source will not know any different than your denial. The rest are just wrong from being in opposition anyways.

It works anywhere as long as you are large enough of an entity


Responding to person with non-company email.. eek.


Attempting to admit something to key customers but they don't do it on letterhead!

https://arstechnica.com/security/2025/03/oracle-is-mum-on-re...

Look for them to sue any messengers shortly.


The sailboat races are on schedule, however.


They sponsor a fast car too.


If you ran Oracle you’d appreciate why it wasn’t patched. They do not make it easy.


Genuinely curious what kind of demographic is leveraging Oracle for cloud products — all I've heard about them suggests long-term pain.

This incident certainly doesn't help inspire confidence in their offerings.


Multi-cloud companies that want pricing leverage at the expense of simplicity (Uber is a major customer of all 4 big clouds, for example).


There are 4 big clouds? I had only ever heard of the big 3 mentioned until now (AWS, Azure, GCP). From a quick search, appears that the 4th is Alibaba Cloud.


In the non-Chinese market, the 4th cloud is Oracle Cloud (OCI).

But yea, there is AWS, GCP, Azure, and OCI outside China and Alibaba, Huawei, and Tencent within China.


They have free cloud and egress is cheaper.


What about Oracle Opera Cloud and Oracle NetSuite Cloud customer data—have they been stolen as well? Many many hotels around the world use Opera + NetSuite.


How long has Oracle been denying it? Three days?


Not sure how long it will take them to accept responsibility in this case, or at least confirm it, but Oracle has always played the denial game; it looks like their favorite business practice.


Larry and Trump are in bed. Oracle will (should) fire their OCI and SaaS CISOs.



